Microsoft banned employee use of Deepseek on security, propaganda grounds
Sexual abuse victims' data in NYC and Baltimore Catholic archdioceses likely compromised, DOGE engineer compromised by malware, Japanese hacked brokerage accounts lost $2b in first four months of 2025, Ed giant Pearson hacked, FBI warns of EoL routers, Robot dog exposed to hacking, much more


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
Testifying before the Senate Commerce Committee, Microsoft CEO Brad Smith said his company does not allow its employees to use an artificial intelligence app developed by Chinese AI startup Deepseek due to concerns related to data vulnerability and Chinese propaganda.
Smith said the company also doesn't carry Deepseek's application in its app store, flagging risks posed by "data going back to China and the app creating the kinds of content that people would say are associated with Chinese propaganda."
During the hearing, which focused on strengthening US AI capabilities, Smith also said the key to driving innovation and diffusion is to recognize that AI, like all general-purpose technologies, is built on a tech stack, at the bottom of which is the infrastructure layer.
Smith said that Microsoft is spending more than $80 billion this fiscal year on the capital investment needed for this layer, with more than half of this amount being spent in the United States to buy land, invest in electricity and broadband connectivity, procure chips like GPUs, and install liquid cooling. (Alexandra Alper / Reuters and Microsoft)
Related: Microsoft, Digital Watch Observatory, Cyber Daily, The Hindu, TechCrunch, Cryptopolitan

According to court documents filed in US Bankruptcy Court, the names and personal information of victims of sexual abuse by members of the Catholic archdioceses of Baltimore and New York may have been compromised by a cybersecurity breach in early March.
The breach affects at least ten bankruptcy proceedings involving dioceses and archdioceses nationwide, including Baltimore, Albany, Rochester, and Utica, New York, and several in California. The number of potential people exposed was unclear.
According to a letter from the Department of Justice, Berkeley Research Group (BRG), a financial advisory firm working on multiple church bankruptcy cases, notified federal trustees on April 28 about a data breach it discovered on March 2.
"Although such a large-scale data breach would be of concern to the United States Trustee in any bankruptcy case, that the breach occurred in archdiocesan and diocesan cases - where the claims information of sexual abuse survivors is the most sensitive and confidential of all information - is very concerning," Nan Roberts Eitel, Associate General Counsel for Chapter 11 Practice at the Justice Department, wrote in the letter.
The DOJ asked BRG for more information about the breach and how it has been handled. They requested each known person's case name, number, and district and any other suspected cases. They want to know if potential victims have been notified and why BRG waited nearly two months between discovering the breach on March 2 and notifying the US Trustee Program on April 28. (Christian Olaniran / CBS News Baltimore)
Related: WYPR, The Baltimore Banner, Baltimore Fishbowl, Wall Street Journal, Hoodline
DOGE software engineer Kyle Schutt, who gained access to FEMA's "core financial management system," was apparently compromised with malware because his email address and passwords have shown up in four separate stealer log datasets, all of which have been published since late 2023.
According to HaveIBeenPwned, his personal email address appeared in 51 data breaches and 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more.
Some of the datasets Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
There is a good chance that the DOGE staff have been using their personal computers and that Schutt has spread malware across the federal government via his personal computer. (Ed. Note: Employees inside the government and federal contractors have told me multiple times over the past several months that DOGE workers routinely connect to federal government systems via their unvetted personal computers.) (Micah Lee)
Related: Ars Technica, Neowin
Japan's Financial Services Agency (FSA) reports that transactions from hacked brokerage accounts topped ¥300 billion ($2 billion) in the first four months of 2025, reflecting a sharp rise in cases in which hackers are believed to have been manipulating stock prices via those accounts.
The number of unauthorized access cases to stockholder accounts soared from just 65 in January to 4,852 in April. Fraudulent trades similarly jumped from 39 to 2,746 over the same period.
The FSA figures showed that between January and April, there were 6,380 cases of unauthorized access and 3,505 instances of fraudulent trades. The transactions included about ¥161.2 billion in unauthorized selling and ¥143.7 billion in unauthorized purchases.
The FSA warned that these figures are provisional and likely the tip of the iceberg, as more cases could have gone unreported. (Jessica Speed / The Japan Times)
Related: Bloomberg, Financial Services Agency
Education giant Pearson said it suffered a cyberattack, allowing threat actors to steal corporate data and customer information, but it stated that the data was mostly "legacy data."
The statement follows reports from sources that threat actors compromised Pearson's developer environment in January 2025 through an exposed GitLab Personal Access Token (PAT) found in a publicly accessible .git/config file.
"We recently discovered that an unauthorized actor gained access to a portion of our systems," a Pearson representative said. "Once we identified the activity, we took steps to stop it and investigate what happened and what data was affected with forensics experts. We also supported law enforcement's investigation. We have taken steps to deploy additional safeguards onto our systems, including enhancing security monitoring and authentication."
"We are continuing to investigate, but at this time we believe the actor downloaded largely legacy data. We will be sharing additional information directly with customers and partners as appropriate."
Pearson also confirmed that the stolen data did not include employee information. (Lawrence Abrams / Bleeping Computer)
Related: The 420
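The Pearson item turns on a deployment mistake a defender can check for directly: a repository's `.git` directory shipped into a served web root, with a token embedded in the remote URL of its `config`. The script below is an added example, not Pearson's, GitLab's or Bleeping Computer's code. It walks a web root, reports every `.git` directory it finds, and parses each `.git/config` for credentials carried in remote URLs or in an `extraheader` authorization line. The directory layout and token value are constructed for the demonstration (the `glpat-` prefix is GitLab's real PAT prefix; the token itself is a placeholder).

```python
"""Audit a web root for exposed .git metadata and credentials embedded in it.

Added example for the Pearson item (GitLab PAT in a publicly served
.git/config); not Pearson's, GitLab's or Bleeping Computer's code. The sample
tree built by build_sample_web_root() is constructed for the demonstration.
"""
import os
import tempfile
from urllib.parse import urlsplit


def parse_git_config(text):
    """Minimal parser for git's INI-like config: returns {(section, key): value}.

    configparser is deliberately avoided: git indents keys with tabs, which
    configparser would treat as continuation lines of the previous value.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            entries[(section, key)] = value
    return entries


def find_credentials_in_config(text):
    """Return (section, key, user) for every config value that carries a secret."""
    hits = []
    for (section, key), value in parse_git_config(text).items():
        if key == "url":
            parts = urlsplit(value)  # ssh-style git@host:path has no userinfo
            if parts.username is not None and parts.password:
                hits.append((section, key, parts.username))
        elif key == "extraheader" and "authorization:" in value.lower():
            hits.append((section, key, "<extraheader>"))
    return hits


def audit_web_root(web_root):
    """Walk web_root; report each .git directory and any credentials in its config."""
    findings = []
    for dirpath, dirnames, _ in os.walk(web_root):
        if ".git" in dirnames:
            git_dir = os.path.join(dirpath, ".git")
            finding = {
                "git_dir": os.path.relpath(git_dir, web_root).replace(os.sep, "/"),
                "credentials": [],
            }
            config_path = os.path.join(git_dir, "config")
            if os.path.isfile(config_path):
                with open(config_path, encoding="utf-8", errors="replace") as fh:
                    finding["credentials"] = find_credentials_in_config(fh.read())
            findings.append(finding)
            dirnames.remove(".git")  # no need to descend into the metadata itself
    return findings


def build_sample_web_root():
    """Constructed sample: a deployment that shipped its .git directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    git_dir = os.path.join(root, "app", ".git")
    os.makedirs(git_dir)
    with open(os.path.join(git_dir, "config"), "w", encoding="utf-8") as fh:
        fh.write(
            "[core]\n\trepositoryformatversion = 0\n"
            '[remote "origin"]\n'
            "\turl = https://oauth2:glpat-PLACEHOLDER-TOKEN@gitlab.example.com/acme/app.git\n"
            "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
        )
    return root


if __name__ == "__main__":
    for f in audit_web_root(build_sample_web_root()):
        print(f"{f['git_dir']}: {len(f['credentials'])} embedded credential(s)")
        for section, key, user in f["credentials"]:
            print(f"  [{section}] {key} -> user {user!r} (secret redacted)")
```

Run it against the directory your web server actually serves from; any `.git` hit is a finding on its own, because the config and object store are then fetchable by URL, and an embedded credential in the remote URL turns that into a source-control compromise.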
In an advisory, the FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
These devices, which were released many years ago and no longer receive security updates from their vendors, are vulnerable to external attacks that leverage available exploits to inject persistent malware.
Once compromised, they are added to residential proxy botnets that route malicious traffic. In many cases, cybercriminals use these proxies to conduct malicious activities or cyberattacks.
The advisory lists the following EoL Linksys and Cisco models as common targets: Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, Linksys WRT320N, WRT310N, WRT610N, Cradlepoint E100 and Cisco M10.
The FBI warns that Chinese state-sponsored actors have exploited known (n-day) vulnerabilities in these routers to conduct covert espionage campaigns, including operations targeting critical US infrastructure. (Bill Toulas / Bleeping Computer)
Related: IC3, PCMag, Forbes, Infosecurity Magazine, Tom's Guide, Cybernews
Indian intelligence authorities warn that amid rising tensions between India and Pakistan, multiple reports suggest that Pakistan has launched a lethal malware known as Dance of the Hillary that targets personal and financial information.
The malware is being spread through popular social media platforms such as WhatsApp, Facebook, Telegram, and emails, and is spread via video files and documents.
If the user opens the infected files, the device becomes infected, giving hackers unauthorised access to sensitive information such as bank account details, passwords, and even confidential files. With this, hackers can steal data, change system settings, or gain complete control.
India’s cybersecurity agencies have issued a warning to individuals to be extremely cautious of unsolicited messages or unfamiliar links. The authorities have also directed all departments to report suspicious cyber activity immediately, and public awareness campaigns are underway. (Ashish Singh / Digit)
Related: Times Bull, Deccan Chronicle, Pune Pulse, Business Today, Lokmat Times, Jagran English, Zee News, APAC News Network, News24, The Week, Digit, Times Now, India.com
Unitree Robotics, one of China’s leading robot manufacturers, said it shut down a third-party remote control service that had exposed its Go1 robot dog to potential hacking, allowing unauthorised users to gain control of the machine and access its video cameras.
The Hangzhou-based startup said in a post on social platform X on Wednesday that it identified a “security vulnerability” through which hackers obtained the management key for a third-party cloud tunnel service used by Go1.
The tunnel service, which enabled remote control of the Go1, was completely shut down in late March, shortly after tech bloggers and hackers Andreas Makris and Kevin Finisterre published their findings online.
Zhexi Cloud provided the service, and the bloggers reported that nearly 2,000 institutions, including US internet protocol addresses traced to the Massachusetts Institute of Technology, Princeton University, and Carnegie Mellon University, had connected to it.
Separately, a viral video shows a Unitree H1 humanoid suspended from a construction crane when it lost control and wildly flailed its arms and legs.
It dragged its stand, crashing a computer and other items to the floor. As the incident unfolded, a man attempted to stabilize the robot. (Coco Feng / South China Morning Post and Mark Allinson / Robotics and Automation News)
Related: TechSpot, VNExpress, Metro, Notebookcheck, Times of India
Democratic Connecticut Sen. Chris Murphy, the ranking member on the Senate Appropriations Subcommittee on Homeland Security, slammed Homeland Security Secretary Kristi Noem at a hearing on the administration’s fiscal 2026 budget for slashing the budget of the Cybersecurity and Infrastructure Security Agency (CISA).
He said the CISA funding cuts were paying for the administration’s focus on the border and violated congressional mandates on how to spend appropriated dollars.
“As we speak, Russian and Chinese hackers are having a field day hacking our nation,” Murphy said. CISA has already forced out some personnel under Trump, and more cuts may be looming even before the proposed fiscal 2026 $491 million funding reduction.
It follows similar criticism from House appropriations Democrats on Tuesday. At another hearing on CISA’s budget proposal Thursday, one of those House members, Rep. Lauren Underwood of Illinois, the top Democrat on the House counterpart to Murphy’s subcommittee, was harsher in renewing that criticism. (Tim Starks / Cyberscoop)
Cisco fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated remote attacker to take over devices.
This token is meant to authenticate requests to a feature called 'Out-of-Band AP Image Download.' Since it's hard-coded, anyone can impersonate an authorized user without credentials.
The vulnerability is tracked as CVE-2025-20188 and has the maximum CVSS score of 10.0, allowing threat actors to fully compromise devices.
Cisco has released security updates to address the critical vulnerability; system administrators are advised to apply them as soon as possible. (Bill Toulas / Bleeping Computer)
Related: Cisco, Security Affairs, GBHackers, The Cyber Express
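The Cisco flaw is a reminder of what a hard-coded token actually is: a shared constant that anyone holding the firmware image also holds, that never expires and cannot be rotated per device. The code below is an added example, not Cisco's code, contrasting that pattern with a per-deployment HS256 JWT check that pins the algorithm, verifies the signature against a secret issued at provisioning time, and enforces audience and expiry. The endpoint name, claim values and secret are constructed for the demonstration.

```python
"""A hard-coded bearer token beside a verified, expiring JWT check.

Added example for the Cisco IOS XE item (CVE-2025-20188); not Cisco's code.
The feature name, claims and secrets below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

# --- Weak pattern: the "authorization" is a constant compiled into the image.
# It is identical on every device, never expires, and leaks with the firmware.
HARD_CODED_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJpbWFnZS1kb3dubG9hZCJ9.PLACEHOLDER"


def weak_is_authorized(presented_token):
    """Vulnerable check: accepts the shipped constant; nothing about it is verified."""
    return hmac.compare_digest(presented_token, HARD_CODED_TOKEN)


# --- Hardened pattern: HS256 JWT minted under a per-device secret, with a
# short lifetime and an audience bound to the feature being accessed.
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret, subject, audience, ttl_seconds, now=None):
    """Create an HS256 JWT; `secret` is generated per device at provisioning time."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret, token, expected_audience, now=None):
    """Return the claims if algorithm, signature, audience and expiry all hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side; the token never gets to choose it.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if payload.get("aud") != expected_audience:
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


if __name__ == "__main__":
    device_secret = b"per-device-secret-from-provisioning"  # constructed placeholder
    feature = "oob-ap-image-download"                       # constructed audience name
    tok = mint_token(device_secret, "image-download-client", feature, 300)
    print("hardened accepts freshly minted token:", verify_token(device_secret, tok, feature) is not None)
    print("hardened rejects token under another key:", verify_token(b"other-secret", tok, feature) is None)
    print("weak check accepts the shipped constant:", weak_is_authorized(HARD_CODED_TOKEN))
```

The design points a reviewer would look for are all in `verify_token`: the secret comes from outside the code, the algorithm is fixed by the verifier rather than read from the token, the signature is compared in constant time, and a token is only useful for one feature and for a bounded window, so recovering a single token from a device or a capture buys far less than a constant baked into every image.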
SonicWall urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.
The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.
"SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities," SonicWall said. (Sergiu Gatlan / Bleeping Computer)
Related: SonicWall, Dark Reading, Security Week
Politically motivated Ukrainian hackers known as Cyber ATESH attacked the main ticketing platform in temporarily occupied Crimea, Kassa24.ru, which is used to promote the Russian propagandistic agenda, according to the movement's Telegram channel.
"By May 9, a day that once symbolized the end of war, we took down the Kassa24.ru website. It's the main ticketing resource in Crimea used to push the occupiers’ propaganda-driven cultural agenda," the statement said.
The partisans added that in the hands of the Putin regime, even Victory Day has become a tool of brainwashing. The memory of true heroism has been turned into a means of militarizing the population and justifying a new criminal war.
"Putin, like Hitler, spreads death under the guise of higher goals. We are fighting not just the army but also its ideological machine. And if they think they can hold parades and performances on occupied Ukrainian territory, they should be prepared for their entire digital storefront to be destroyed," ATESH emphasized. (Daryna Vialko / RBC-Ukraine)
Related: UNN, Espreso.tv
Researchers at Aikido report that an npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
The 'rand-user-agent' package is a tool that generates randomized user-agent strings, which are helpful in web scraping, automated testing, and security research.
Although the package has been deprecated, it remains fairly popular, averaging 45,000 downloads weekly.
However, threat actors took advantage of its semi-abandoned yet popular status to inject malicious code in unauthorized subsequent releases that are likely to have been downloaded by a significant number of downstream projects.
Aikido detected the compromise on May 5, 2025, when its malware analysis system flagged a new version of rand-user-agent, number 1.0.110.
The malicious versions have been removed from the package's repository on npm, so the latest available version is safe, and users should revert to it. (Bill Toulas / Bleeping Computer)
Related: Aikido
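The practical question for a downstream project is whether the compromised release ever landed in a lockfile. The script below is an added example, not Aikido's or npm's code: it reads a `package-lock.json` in either the `lockfileVersion` 1 layout (nested `dependencies`) or the 2/3 layout (flat `packages` map), lists every installed copy of `rand-user-agent` including nested ones, and marks version 1.0.110 (the only version the report names) as known-bad while listing any other version for review. The lockfile content is constructed sample data.

```python
"""Check an npm lockfile for the compromised rand-user-agent release.

Added example for the rand-user-agent item; not Aikido's or npm's code.
Only version 1.0.110 is named in the report, so only that version is flagged
KNOWN-BAD; other occurrences are listed for REVIEW. SAMPLE_LOCK is constructed.
"""
import json

PACKAGE = "rand-user-agent"
KNOWN_BAD_VERSIONS = {"1.0.110"}  # the release Aikido's analysis flagged on May 5, 2025


def iter_lock_entries(lock):
    """Yield (install_path, name, version) for every package in the lockfile."""
    if "packages" in lock:
        # lockfileVersion 2/3: keys are paths such as "node_modules/a/node_modules/b";
        # "" is the root project itself.
        for path, entry in lock["packages"].items():
            if not path:
                continue
            name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, entry.get("version")
        return

    def walk(deps, prefix):
        # lockfileVersion 1: a nested tree under "dependencies"
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, entry.get("version")
            yield from walk(entry.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock):
    """Return every installed copy of PACKAGE with a KNOWN-BAD / REVIEW status."""
    findings = []
    for path, name, version in iter_lock_entries(lock):
        if name != PACKAGE:
            continue
        status = "KNOWN-BAD" if version in KNOWN_BAD_VERSIONS else "REVIEW"
        findings.append({"path": path, "version": version, "status": status})
    return findings


# Constructed sample: a v3 lockfile with the flagged release at top level and an
# older copy nested under another dependency.
SAMPLE_LOCK = json.loads("""{
  "name": "scraper-demo",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "scraper-demo", "version": "1.0.0",
         "dependencies": {"rand-user-agent": "^1.0.0", "left-pad": "1.3.0"}},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/rand-user-agent": {"version": "1.0.110"},
    "node_modules/some-tool": {"version": "2.0.0"},
    "node_modules/some-tool/node_modules/rand-user-agent": {"version": "1.0.109"}
  }
}""")


def audit_lockfile_path(path):
    """Convenience wrapper for a real lockfile on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(f"{finding['status']:9} {finding['version']:8} {finding['path']}")
```

Nested copies matter here: a transitive dependency can pin its own copy of the package, so a top-level check alone would miss it. A hit on the known-bad version means the host that ran `npm install` with that lockfile should be treated as having executed the trojan's installer, not merely as needing a version bump.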
US District Judge Mark H. Cohen cleared the runway for a class action from disgruntled passengers against Delta Air Lines as turbulence from last year's CrowdStrike debacle continues to buffet the carrier.
Delta was one of the US airlines most severely hit by the outage, which was caused by a faulty software update issued by CrowdStrike that crashed millions of Windows devices worldwide.
Problems began on July 19, 2024, and although the broken update was swiftly dealt with, the damage had been done for many customers. "Delta cancelled more than 4,500 flights between Friday, July 19, and Sunday, July 21, 2024," say the plaintiffs.
Even after many other airlines managed to get back up and running, with most resuming normal operations by the end of the weekend, Delta "continued to cancel and delay a staggering number of flights – far more than any other airline," according to court documents [PDF].
Delta blamed its reliance on Microsoft software and the CrowdStrike incident for its woes. However, according to the plaintiffs in the action, both companies offered the airline assistance, which Delta turned down.
While Judge Cohen granted the airline's motion to dismiss some of the claims, he permitted others to proceed. He ordered that the parties file an Amended Joint Preliminary Report and Discovery Plan by May 20. (Richard Speed / The Register)
Related: Cyber Daily, Simple Flying, Insurance Journal, Australian Aviation, The Hill
Best Thing of the Day: Adding a Qualified Leader at the Pentagon
Donald Trump nominated Kirsten Davies, an industry veteran who has held top cyber roles at companies including Unilever and Estée Lauder, to fill the Pentagon’s top tech post of CIO.
Worst Thing of the Day: Losing a Qualified Leader at the FBI
Bryan Vorndran, assistant director of the FBI's cyber division, who has helped guide the bureau to be more aggressive in disrupting malicious hackers and cybercrime gangs, will retire from the agency soon.
Closing Thought
